From

Thank you

Sorry

When it comes to information security, there are a lot of “misperceptions” and “exaggerations” about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst Jay Heiser.

These false assumptions all add up to “security myths” that have gained wide credence among security pros, the employees they’re trying to protect from data loss and the business managers apt to blame chief information security officers (CISO) for breaches and other mishaps. Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his “Top 10 Security Myths”:

Myth #1: “It won’t happen to me”

Cause: Inured by hype over risk, and letting employees do whatever they want to avoid expense and responsibilities.

Cure: Face the business responsibility to confront security-related requests; making use of a security classification framework helps

Myth #2: “Infosec budgets are 10% of IT spend.”

Cause: Wishful thinking---Gartner research shows the budget number is more like 5%.

Cure: get some real data

Myth #3: “Security risks can be quantified”

Cause: Illusion that you can have your security budget if you try to justify it in an Excel spreadsheet, a common misperception in a “numbers-oriented culture” in which it’s thought “he who has the biggest numbers wins.”

Cure: Develop non-numeric expressions of risk, and seek to ensure the business unit takes ownership of its IT-related risks.

Cause: Passing the buck. Lines of business wants security risk to be someone else’s problem, with the CISO shouldering all the risk, even though they don’t feel the CISO should be able to tell them what to do.

Cure: Build an information security program around the culture

Myth 8: “Buy this tool <insert tool here> and it will solve all your problems”

Myth #10: “Encryption is the best way to keep your sensitive files safe”

Cause: When encryption works, it works brilliantly. But it can cause more harm than good when there are naïve expectations about a difficult technology; sometimes it’s a “search for the Holy Grail” or “magic bullets” to shoot down regulatory concerns

Cure: Ensure you have solid experience in cryptography before making decisions

As a final cap, Heiser pointed out that many of these myths arise because of factors that are simply the human propensity to over-react in unfamiliar situations or the common organizational bent to pass the blame to someone else. “Buck passing characterizes bureaucratic risk management,” Heiser noted. He said that “there’s no reason the CISO should just sit there and accept all those hot potatoes,” especially when employees are loading up on consumer computing technologies.